[openssl-dev] [openssl.org #4521] openssl GCM ordering

Andy Polyakov appro at openssl.org
Wed Apr 27 10:04:21 UTC 2016


>         Is there a reason why openssl has a restriction of auth-before-encrypt
>         order? I don't believe there is an algo restriction, was
>         wondering why openssl has this.
> 
> 
>     It *is* inherent in the algorithm. The authentication tag for the
>     AAD is computed first, then the authentication tag for the encrypted
>     data is computed.
> 
> [praveen] From the NIST documentation it is not that clear (SP-800-38D
> page 15).

Yes, it is, clear that is.

>     5. Define a block, S, as follows:
>        S = GHASH_H(A || 0^v || C || 0^u || [len(A)]_64 || [len(C)]_64).

It says GHASH over AAD *followed* by Ciphertext, etc.

> I agree, but I was talking about the auth-only part. For example, in a
> packet that needs to be replicated, the outer header will change for each
> recipient, but the payload will remain the same. Was wondering if I can
> benefit by skipping the C part for the subsequent copies.
> 
> I totally understand that for a HW implementation it does NOT make sense. But
> was curious why this restriction?

What restriction? The initial question was why CRYPTO_gcm128_aad works
the way it does (and the answer is to comply with the specification), and
now it seems to be shifting toward the more philosophical "why does the
specification look the way it does?" The point is that it looks like the
wrong question is being asked. One should rather wonder what it would take
to make a so-to-say "fan-out" operation comply with the specification, i.e.
manufacturing compliant MACs given the same initial parameters and a
pre-encrypted payload. Obviously it would have to take dedicated effort
and a dedicated interface, say CRYPTO_gcm128_noencrypt(ctx,in,len) in
place of CRYPTO_gcm128_encrypt, that would do the hashing of the
pre-encrypted payload. However! This doesn't mean that it's actually
appropriate to implement and do. I mean, as already pointed out by others,
it doesn't sound like GCM is the right choice for "fan-out"...
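Step 5 quoted above and the "fan-out" question, as an added example that is not OpenSSL's code: a streaming GHASH in Python that enforces the AAD-before-ciphertext order CRYPTO_gcm128_aad does, computes only S (the tag's final XOR with E_K(J0) needs AES and is omitted), and takes H = E_K(0^128) from the caller. The `fan_out` helper and the CRYPTO_gcm128_noencrypt path it mentions are hypothetical, following the thread, not an existing OpenSSL API.

```python
R = 0xE1 << 120  # reduction constant of GCM's bit-reflected GF(2^128)

def gf128_mul(x: int, y: int) -> int:
    """Multiply in GF(2^128) per SP 800-38D Algorithm 1 (MSB of x first)."""
    z, v = 0, y
    for i in range(128):
        if (x >> (127 - i)) & 1:
            z ^= v
        v = (v >> 1) ^ R if v & 1 else v >> 1
    return z

class GcmHash:
    """Streaming S = GHASH_H(A || 0^v || C || 0^u || [len(A)]64 || [len(C)]64)."""
    def __init__(self, h: bytes):  # h = H = E_K(0^128), supplied by the caller
        self.h, self.y, self.buf = int.from_bytes(h, "big"), 0, b""
        self.alen, self.clen, self.in_c = 0, 0, False  # byte counts of A and C
    def _absorb(self, data: bytes, flush: bool = False) -> None:
        self.buf += data
        if flush:  # end of the A or C segment: apply its 0^v / 0^u padding
            self.buf += b"\0" * (-len(self.buf) % 16)
        while len(self.buf) >= 16:
            blk, self.buf = int.from_bytes(self.buf[:16], "big"), self.buf[16:]
            self.y = gf128_mul(self.y ^ blk, self.h)
    def aad(self, a: bytes) -> None:
        # The rule CRYPTO_gcm128_aad enforces: AAD blocks come first in the
        # GHASH polynomial, so none can be added once C has been absorbed.
        if self.in_c:
            raise ValueError("AAD after ciphertext is not GCM")
        self.alen += len(a)
        self._absorb(a)
    def ciphertext(self, c: bytes) -> None:
        if not self.in_c:  # first C call: close the A segment with 0^v
            self._absorb(b"", flush=True)
            self.in_c = True
        self.clen += len(c)
        self._absorb(c)
    def finish(self) -> bytes:
        self._absorb(b"", flush=True)  # 0^u, then the two 64-bit bit lengths
        self._absorb((8 * self.alen).to_bytes(8, "big") + (8 * self.clen).to_bytes(8, "big"))
        return self.y.to_bytes(16, "big")

def fan_out(h: bytes, headers: list, c: bytes) -> list:
    """The thread's 'fan-out': one pre-encrypted payload C, one S per recipient
    header. Each S restarts from its own first AAD block; a hypothetical
    CRYPTO_gcm128_noencrypt path would skip only AES-CTR over C, not the GHASH."""
    out = []
    for hdr in headers:
        g = GcmHash(h)
        g.aad(hdr)
        g.ciphertext(c)
        out.append(g.finish())
    return out
```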